Introduction to NetWare 6.5 Security 


NetWare 6.5 includes products and services that allow you to centrally manage access to your 
systems and resources. They allow you to safeguard your resources from intruders and to present 
your customers, partners, and employees with a dynamic combination of information, resources, 
and processes, all based on their relationship with your business. 


The following list provides an overview of the products and services available with this release: 


Authentication 

+ Novell Modular Authentication Service (NMAS) 
+ Universal Password 


Encryption 

+ Novell International Cryptographic Infrastructure (NICI) 


Public Key Infrastructure 

+ Novell Certificate Server 


Each product and service is described in more detail in Chapter 2. 
Products and Services 


This chapter discusses the products and services included in NetWare 6.5 that are related to 
security. Novell provides other security products and services that can be purchased and installed 
separately. 


Authentication 


The following products deal with advanced authentication and authorization. 


Novell Modular Authentication Service (NMAS) 


Novell Modular Authentication Service (NMAS) is designed to help you protect information on 
your network. NMAS provides additional ways of authenticating to Novell eDirectory on 
NetWare, Windows, and UNIX networks to help ensure that the people accessing your network 
resources are who they say they are. 


In previous releases of NetWare and eDirectory, Novell bundled an evaluation version of NMAS 
(Standard Edition) that was a scaled-down version of NMAS Enterprise Edition. Novell no longer 
provides a standard edition and an enterprise edition. Starting with NetWare 6.5, Novell provides 
a fully functional version of NMAS to the products that bundle it. 


The NMAS server components are installed as part of the NetWare 6.5 installation process. You 
must also install the NMAS client on each workstation that will be authenticating using NMAS. 


NMAS provides multiple login methods to choose from based on the three login factors 
(password, physical device or token, and biometric authentication). For example, you can have 
users log in using a password, a fingerprint scan, a token, a smart card, a certificate, a proximity 
card, etc. Or you can have them log in using a combination of methods, which provides a higher 
level of security. Some login methods require additional hardware and software not included with 
the NMAS product. Make sure that you have all of the necessary hardware and software for the 
methods you will use. 


NMAS includes several login methods in the software build in the nmasmethods folder. Other 
third-party methods are available for download. For information on the available third-party login 
methods, see the NMAS Partners Web site (http://www.novell.com/products/nmas/partners). 
Each method includes a readme.txt or readme.pdf file with specific installation and 
configuration instructions. 


For more information on how to use NMAS, see the Novell Modular Authentication Service 
Administration Guide. 
Universal Password 


One Password 


NetWare 6.5 includes some enhancements in the way passwords are handled and maintained. 
These changes provide several benefits. 


In the past, administrators have had to manage multiple passwords (simple password, NDS RSA 
passwords) because of password limitations. Administrators have also had to deal with keeping 
the passwords synchronized. 


+ NDS RSA Password - The older NDS RSA password is stored in eDirectory in a non-reversible 
hash form. Only the NDS RSA system can make use of this password, and it cannot be 
converted into any other form for use by any other system. 


+ Simple Password - The simple password provides a reversible value stored in an attribute on 
the user object in eDirectory. NMAS securely stores a clear text value of the password so that 
it can use it against any type of authentication algorithm. To keep this value secure, 
NMAS encrypts the data in the NMAS Secret and Configuration Store with either a DES key or 
a triple DES key (depending upon the strength of the Secure Domain Key). 


The simple password was originally implemented to allow administrators to import users and 
hashed passwords from foreign LDAP directories such as Active Directory and iPlanet. 


The limitation of the simple password is that only NMAS has rights to the password attribute 
stored on the User object and only NMAS has the key to decrypt the password value. 


+ Password Synchronization 


Universal Password addresses these problems by creating a single password that can be used by 
all protocols to authenticate users. 


The Universal Password is managed by the Secure Password Manager (SPM), a component of the 
NMAS module (NMAS.NLM on NetWare). SPM simplifies the management of password-based 
authentication schemes across a wide variety of Novell products as well as our partners' 
products. The management tools expose only one password and do not expose the 
behind-the-scenes processing that is done for backwards compatibility. 


The NDS RSA change password verbs can be disabled to keep the passwords from going out of 
synchronization under the covers. The administrator can disable these verbs if they desire to 
prevent older clients from changing passwords and causing synchronization problems. 


All of the password restrictions and policies (expiration, minimum length, etc.) are supported. 


Secure Password Manager (SPM) and the other components that manage or make use of Universal 
Password are installed in the NetWare 6.5 install. Since all APIs for authentication and setting 
passwords are moving to support Universal Password, all the existing management tools, when run 
on clients with these new libraries, automatically work with the Universal Password. 


The Novell Client also supports the Universal Password. It will also continue to support NDS RSA 
for older systems in the network. The Novell Client has the capability of automatically upgrading 
to the new Password from the NDS RSA password. 


Backward Compatibility 


Older NDS RSA clients in the network continue to authenticate. They do not know that it is the NMAS 
Universal Password that is being handled for them. To avoid synchronization problems, older clients 
cannot change the NDS RSA password. The administrator can turn this back on, but it is off by default. 
Since a network may contain older NetWare 5.1 and NetWare 6 servers running prior versions of 
Native File Access, or may have older printers and clients that only know the NDS RSA password, 
the NDS RSA and simple password values are kept synchronized, so that as eDirectory replicates 
these values to older servers, their services can still function and the passwords can remain 
synchronized. 


International (Extended) Characters in Passwords 


In the past, Novell has not supported international or extended characters in passwords. In some 
instances passwords with these extended characters would work, but it was only by chance. 
Extended characters were handled in different ways by the utilities. 


Now, all Novell utilities are UTF-8 encoded. When a password is reset by a user or an 
administrator, the SPM takes the Unicode password, converts it to a Universal Password 
(UTF-8 encoded), and resets the NDS password. It also resets the simple password if there is one. 


Also, DSAPI, the module that handles the set password and change password operations in ConsoleOne and 
NWADMIN, checks the password. If it is a Universal Password (UTF-8 encoded), the extended 
character password is accepted. If it is not UTF-8 encoded, DSAPI allows only a 7-bit 
ASCII password. This causes some applications that use extended character passwords to fail. 


A workaround for this is to change your extended character passwords to 7-bit ASCII passwords, 
then upgrade your system to use Universal Password. Then you can reset the passwords to 
extended character passwords again. 


For users that are not using extended characters in their passwords, the transition to Universal 
Password should be transparent. If a user is using both the NDS password and the Simple 
Password, the user's NDS password will be set to the Simple Password after they use the Simple 
Password to log into NetWare 6.5 through CIFS, AFP, or the Simple Password login method. 


For more details about deploying the Universal Password, see the Universal Password 
Deployment Guide. 


Encryption 


Novell International Cryptography Infrastructure (NICI) 


The Novell International Cryptography Infrastructure (NICI) is Novell’s solution to a cross- 
platform, policy-driven, independently certified, and extensible cryptography service. NICI is the 
cryptography module that provides keys, algorithms, various key storage and usage mechanisms, 
and a large-scale key management system. 


NICI controls the introduction of algorithms and the generation and use of keys. NICI allows a 
single commodity version of security products to be produced for worldwide consumption that 
supports strong cryptography and multiple cryptographic technologies. Initial services built on this 
infrastructure are Directory Services (Novell eDirectory), Novell’s Modular Authentication 
Service (NMAS), Novell Certificate Server, Novell SecretStore®, and TLS/SSL. 


NICI includes the following key features: 


+ Supports Industry Standards - NICI is implemented following recognized industry standards. 
+ Certified - NICI is FIPS-140-1 certified on selected platforms. 
+ Cross-platform Support - NICI is available on a variety of operating systems and platforms. 
+ Complies with Governmental Export and Import Regulations - It has cryptographic interfaces 
that are exportable from the U.S. and importable into other countries with government-imposed 
constraints on the export, import, and use of products that contain embedded cryptographic 
mechanisms. 
+ Secure and Tamper Resistant Architecture - The NICI architecture uses digital signatures to 
implement a self-verification process such that consuming services may be assured that NICI 
has not been modified or tampered with when NICI is initialized. 


For more information on how to use NICI, see the NICI Administration Guide. 


Public Key Infrastructure (PKI) 


Novell Certificate Server 
Novell® Certificate Server provides public key cryptography services that are natively integrated 
into eDirectory® and that allow you to mint, issue, and manage both user and server certificates. 
These services allow you to protect confidential data transmissions over public communications 
channels such as the Internet. 


Novell Certificate Server offers the following public key infrastructure services: 


+ Provides public key cryptography services on your network 

You can create an Organizational Certificate Authority (CA) within your eDirectory tree, 
allowing you to issue an unlimited number of user and server certificates. You can also use 
the services of an external certificate authority, or use a combination of both as your needs 
dictate. 


+ Controls the costs associated with obtaining and managing public key certificates 

You can create an Organizational CA and issue public key certificates through the 
Organizational CA. 


+ Allows public key certificates to be openly available while also protecting them against 
tampering 

Certificates are stored in eDirectory and can therefore leverage eDirectory replication and 
access control features. 


+ Allows private keys to be accessible to only the software routines that use them for signing 
and decrypting operations 

Private keys are encrypted by Novell International Cryptography Infrastructure (NICI) and 
made available only to the software routines using them for signing and decrypting 
operations. 


+ Securely backs up private keys 

Private keys are encrypted by NICI, stored in eDirectory, and backed up using standard 
eDirectory backup utilities. 


+ Allows central administration of certificates using ConsoleOne™. You can also perform some 
administration tasks using Novell iManager™. 

ConsoleOne snap-ins are provided, allowing you to manage certificates issued from your 
Organizational CA or from any other CA that supports a certificate signing request in PKCS 
#10 format. The Novell iManager plug-in also allows you to perform some administration tasks. 


+ Allows users to manage their own certificates 

Users can use ConsoleOne to export keys for use in cryptography-enabled applications 
without system administrator intervention. 


+ Supports popular e-mail clients and browsers 

Novell Certificate Server allows you to create and manage user certificates for securing 
e-mail. Novell Certificate Server supports GroupWise® 5.5, Microsoft* Outlook 98 and 
Outlook 2000, Netscape* Messenger, and other popular e-mail clients. It is also compatible 
with both Netscape Navigator* and Microsoft Internet Explorer. 


For more information on how to use Novell Certificate Server, see the Novell Certificate Server 
Administration Guide. 